This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Diego_dg
Collaborator
‎2024-04-16 04:36 AM
Jump to solution

FTP data session with destination NAT silently dropped when acceleration is enabled on the gateway

Hi! I have an strange issue: previosly working FTP sessions have stopped working on our R81.10 firewall. FTP control session on port 21 is established but the data session is not established when acceleration is enabled. If I disable acceleration (fwaccel off), then the ftp data session is established without any issue. Only FTP flows with destination NAT have this issue: FTPs to the same ftp server but without destination NAT doesn't have this issue.

I am aware of the several types of FTP services available, I have tried using all the relevant types one by one (including ftp-pasv) but to no avail.

No drop is seen on the logs and neither with "fw ctl zdebug drop".

I have not found any change on the audit logs that could give a hint about what have caused this change on the behaviour of the firewall, maybe it is the ftp server the one that has been modified but I have no way to confirm that. I have rebooted the devices just in case but it didn't fix the issue.

Labels
0 Kudos
1 Solution

Accepted Solutions
Diego_dg
Collaborator
‎2024-06-16 10:28 PM
Jump to solution

Hello, TAC found the cause of the issue: if you mark the QoS checkbox on the interface but only on Inbound (not in Outbound) then the FTP data connections are silently dropped. 

View solution in original post

0 Kudos
10 Replies
PhoneBoy
Admin
Admin
‎2024-04-16 08:56 AM
Jump to solution

If "fwaccel off" solves an issue, then TAC has to be involved: https://help.checkpoint.com
Did you upgrade to a JHF recently? (Version/JHF info is useful)

0 Kudos
Diego_dg
Collaborator
‎2024-04-16 10:14 PM
In response to PhoneBoy
Jump to solution

Hi, this is R81.10 with JHF 83, it was installed almost one year ago, we have involved TAC.

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2024-04-16 09:48 AM
Jump to solution

Agree with PhoneBoy TAC should be involved, in the meantime as a workaround you can force the problematic FTP traffic F2F/slowpath and avoid any acceleration with the procedure detailed here: sk104468: How to exclude traffic from SecureXL

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
Diego_dg
Collaborator
‎2024-04-16 10:31 PM
In response to Timothy_Hall
Jump to solution

Hi, I already tried sk104468, adding all the involved IPs to the f2f_addresses section but to no avail... I will recheck it again because I still see the connections on the fwaccel conns table after configuring it.

I have found that some changes on the QoS blade were performed the day the issue started and have seen that they could be some issues with acceleration if QoS policy was created for R77. This is R81.10 JHF 83 but I am sure this policy has been running since R77 and upgraded to the current R81.10... I will try to disable QoS and check if the issue is still there. We have involved TAC. 

"If you have a QoS policy created for R77 and earlier, you will have to disable QoS acceleration to use other..."

0 Kudos
Diego_dg
Collaborator
‎2024-04-17 03:02 AM
In response to Diego_dg
Jump to solution

We disabled the QoS blade and the issue disappeared. We are talking with TAC about it.

0 Kudos
PhoneBoy
Admin
Admin
‎2024-04-17 11:52 AM
In response to Diego_dg
Jump to solution

That definitely sounds like a bug 🙂

0 Kudos
Lesley
MVP Gold
MVP Gold
‎2024-04-17 12:03 PM
In response to Diego_dg
Jump to solution

Sorry no ideas any more no much experience with QoS. TAC is indeed good step. 

-------
Please press "Accept as Solution" if my post solved it 🙂
0 Kudos
Lesley
MVP Gold
MVP Gold
‎2024-04-16 01:50 PM
Jump to solution

This is a longshot, only reason I paste it here it is very specific to SecureXL and FTP:

https://support.checkpoint.com/results/sk/sk168952

Also FTP without encryption? So no FTPS? What Jumbo take? No NAT or VPN in the connection?

-------
Please press "Accept as Solution" if my post solved it 🙂
0 Kudos
Diego_dg
Collaborator
‎2024-04-16 10:33 PM
In response to Lesley
Jump to solution

Yes, this is FTP without encryption with not FTPS, they are running R81.10 JHF 83, there is no VPNs on this FW but there is NAT, in fact, we only have this issue when there is NAT on the FTP flow.

0 Kudos
Diego_dg
Collaborator
‎2024-06-16 10:28 PM
Jump to solution

Hello, TAC found the cause of the issue: if you mark the QoS checkbox on the interface but only on Inbound (not in Outbound) then the FTP data connections are silently dropped. 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events